Policy Generator ensures the process of creating optimal security segmentation policies for any type of workload (bare-metal, virtual machines, containers) is simple—regardless of where it’s running.
Policy Generator is a simple workflow built into Illumio Core. It pairs with Illumio Core's labeling and policy modeling capabilities to provide an easy-to-use interface for creating segmentation policies. It matches historical connections, the processes these flows communicate with, and workload labels to automatically suggest policies for controlling intra- and inter-application traffic.
Simplify collaboration between application owners and security
Policy Generator allows you to build segmentation policies that protect critical applications. You can assign different teams ownership of different applications using role-based access control (RBAC):
- Application owners can use Policy Generator to review flows and create segmentation policies for individual applications, but they will not have the ability to approve and provision those policies—this is typically the responsibility of another group to ensure a separation of duties. Application owners can create these rules using declarative policies that use labels. Application teams therefore do not need to understand the underlying network infrastructure or keep track of networking constructs, such as IP addresses and VLANs, to create robust policy.
- Security teams can view, test, and update the policies proposed by application teams.
Define policies with the right level of granularity
Policy Generator provides an easy-to-use interface for selecting the granularity (or level of restrictiveness) of your organization’s segmentation policies. You can define traffic restrictions for workloads at the environment level (least granular), application level, role/tier level, or even by the process/service running on individual workloads (most granular).
Leverage vulnerability information to create risk-based policies
When vulnerability maps are enabled, Policy Generator incorporates vulnerability information and the exposure of each vulnerability, which can be used to prioritize patching. If patching is not an option, Policy Generator will recommend segmentation policies that can be used as a compensating control until a patch is available.
"The most fascinating thing about Illumio is their simplicity with respect to policy creation. The UI shows a simplistic map view, which helps admin to create rules without in-depth knowledge about the networking components."